Thursday, April 3, 2014

CCSK Study: Domain 13 - Virtualization

  • The benefits of virtualization are well known, but virtualization also brings up various security concerns
  • VM Guest Hardening
    • Guests should still have firewall, HIPS, web app protection, antivirus, FIM, and log monitoring
    • Can be delivered on a guest-by-guest basis or via hypervisor-based APIs
  • Hypervisor Security
    • Hypervisor should be hardened based on best practices
    • Also consider physical security
  • Inter-VM Attacks
    • VM Communication can occur on the backplane and thus traditional network security is blind to that communication
    • Various solutions (in-line appliances on the vswitch, for example)
    • Also need to consider VM migration and how to keep track of traffic/flow
  • Performance Concerns
    • The resource cost of putting protection mechanisms on each guest is great
    • Consider options at the hypervisor level
  • Operational Complexity from VM Sprawl
    • large attack surface due to many requests for VMs and poor management of VMs once created
  • Instant-On Gaps
    • VM can be secured, and then turned off.  When turned off it could then go out of date (say with security patches).  
    • How do you deal with this VM when it is booted back up?
      • Could use NAC to prevent network access until patches are up-to-date
  • VM Encryption
    • images are vulnerable to theft or modification
    • images could be encrypted all the time
      • performance impact
    • Use DLP tools to prevent exfiltration of images
  • Data Commingling
    • mixed-mode deployment (VMs with different security classes hosted together)
    • need to use VLANs / firewalls / etc to ensure proper isolation
  • VM Data Destruction
    • Need to zero disks after migration
  • VM Image Tampering
    • pre-configured templates may not be what you think they are
  • In-Motion VM
    • how do you audit/track VMs in motion?  What if they cross jurisdictional boundaries?
  • Recommendations
    • identify type of virtualization in use for CSP
    • try to implement a zoned approach
    • secure each OS via guest-tools or API based tools
    • encrypt images when not in use
    • use secure baselines / hardening practices
    • ensure security assessment tools take into account virtualization
    • employ virtual patching techniques to protect VMs on boot up / migration
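
The "Instant-On Gaps" item above suggests using NAC to hold a VM off the network until its patches are current. The sketch below is an added example, not taken from the CCSK guidance: it shows one way such an admission decision could be made at power-on, including the case where a guest was clean at shutdown and fell behind while it was off. The patch ids, inventory, dates and the 7-day signature limit are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed patch baseline: hypothetical patch id -> release date.
BASELINE = {
    "PATCH-001": date(2014, 1, 14),
    "PATCH-002": date(2014, 2, 11),
    "PATCH-003": date(2014, 3, 11),
}
MAX_SIGNATURE_AGE_DAYS = 7  # assumed policy value


@dataclass(frozen=True)
class Guest:
    name: str
    powered_off: date       # when the VM was last shut down
    installed: frozenset    # patch ids present in the image
    av_signatures: date     # date of the antivirus signature set


def missing_patches(guest, as_of):
    """Baseline patches released on or before `as_of` that the guest lacks."""
    return sorted(p for p, released in BASELINE.items()
                  if released <= as_of and p not in guest.installed)


def admit(guest, today):
    """NAC-style decision made at power-on, before the guest joins production."""
    reasons = [f"missing {p}" for p in missing_patches(guest, today)]
    if (today - guest.av_signatures).days > MAX_SIGNATURE_AGE_DAYS:
        reasons.append("stale antivirus signatures")
    # Instant-on gap: fully patched at shutdown, out of date by boot time.
    drifted = bool(reasons) and not missing_patches(guest, guest.powered_off)
    zone = "quarantine" if reasons else "production"
    return {"vm": guest.name, "zone": zone, "reasons": reasons,
            "drifted_while_off": drifted}


# Constructed inventory for the demonstration.
FLEET = [
    Guest("web01", date(2014, 4, 2), frozenset(BASELINE), date(2014, 4, 1)),
    Guest("batch07", date(2014, 2, 1), frozenset({"PATCH-001"}), date(2014, 1, 30)),
    Guest("legacy03", date(2014, 3, 20), frozenset({"PATCH-001"}), date(2014, 3, 19)),
]

if __name__ == "__main__":
    for g in FLEET:
        print(admit(g, today=date(2014, 4, 3)))
```

The "drifted_while_off" flag separates guests that were compliant when shut down from guests that were already behind, which is the distinction the instant-on problem turns on.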

This chapter is short and sweet.  The security concerns with virtualization are vast; unfortunately, the solutions have not kept pace.  Any solution at this point would be a custom type of solution that involves multiple different technologies.  Even then, it will take some time for existing providers to update their software to reliably account for virtualization technologies.  Compound this with the sheer network speed of a backplane: capturing and analyzing all this traffic is a large feat.

As a client of a service provider, my recommendation would be to make a list of all the security tools you require.  Try, as much as possible, to push the cost of those recommendations onto the provider.  You probably won't like the cost of mandatory antivirus when you are paying by the IOP to run it.